How many hops does that make to the Internet for the Internal network PC's?

Amy
Harbor Computer Services
Small Business Computer Specialists
Client Blog: http://smalltechnotes.blogspot.com/
Tech Blog: http://isainsbs.blogspot.com/
Website: http://www.harborcomputerservices.net/

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Wednesday, December 07, 2005 8:06 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: External Network Logic

http://www.ISAserver.org

OK- just so we're on the same page-- I'm not talking about my back-to-back DMZ config that does indeed have a DMZ Perimeter network on the BE ISA for my FE Exchange server. That's done. I'm not talking about a NEW box going into my internal network to physically separate client systems from server systems. That's the one I was talking about having 2 nics with no "External" resources.

t

----- Original Message -----
From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, December 07, 2005 4:41 PM
Subject: [isalist] RE: External Network Logic

> This isn't a back-to-back config. This is a single server going in
> between my clients and my servers... There won't be a way to "NAT to the
> Internet" in that config as the only defined rule will be a route
> relationship from the Perimeter to the Internal.
>
> I understand the concept that "Internet" is the default gateway, but in
> this case, there can't be a "Nat" relationship anywhere.
> t
>
> ----- Original Message -----
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, December 07, 2005 4:25 PM
> Subject: [isalist] RE: External Network Logic
>
> No, the Internet is always there, unless you're talking about a
> caponized ISA firewall (single NIC).
>
> The Internet is reached via the NIC with the default gateway defined on
> it, which in a back to back config would be the internal interface of
> the FE ISA firewall.
>
> There is one point of confusion induced by the UI -- and that's the
> ability to create an "external Network". There is no difference from
> the firewall's point of view between a perimeter Network and an external
> Network. So, you can create another external Network if you like, but
> it's *exactly the same* as a perimeter network from ISA's multinetworking
> point of view. The default External Network is always there (except for
> the unihomed ISA firewall).
>
> For example, if a client on the default Internal Network connects to a
> host on the perimeter network between the ISA firewalls, the connections
> are routed and the source IP address is not replaced. If a host on the
> default internal Network connects to an IP address that is part of the
> default External Network (which is the Internet) the connection will be
> NATed.
>
> The ISA firewall's ability to enable control over your route
> relationships really does give you a lot of flexibility.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>> -----Original Message-----
>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>> Sent: Wednesday, December 07, 2005 5:39 PM
>> To: [ISAserver.org Discussion List]
>> Subject: [isalist] RE: External Network Logic
>>
>> One thing though, just so I understand-- How would I NAT to the Internet?
>> There *is no* "Internet" per se in a 2 NIC config with both defined as ISA
>> Firewall Networks, right? There would be a route relationship from the
>> Internal to the DMZ Perimeter. The Internet would only exist if an
>> Interface was added and not defined elsewhere, correct?
>> t
>>
>> ----- Original Message -----
>> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>> Sent: Wednesday, December 07, 2005 3:01 PM
>> Subject: [isalist] RE: External Network Logic
>>
>> The default External Network is defined as all addresses that defined by
>> any other ISA firewall Network. So, there is still an external network,
>> you just don't have any access to it, since you've created ISA firewall
>> Networks for both the NICs (one for the default Internal Network and one
>> for the ISA firewall Network representing the perimeter network NIC).
>>
>> You can use this in a number of scenarios, like turning the DMZ between
>> the BE and FE ISA firewall into an ISA firewall Network and creating a
>> route Network Rule between that and the default Internal Network, but
>> still NAT'ing to the Internet. Pretty slick, eh?
>>
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org
>> Blog: http://spaces.msn.com/members/drisa/
>> Book: http://tinyurl.com/3xqb7
>> MVP -- ISA Firewalls
>> **Who is John Galt?**
>>
>> > -----Original Message-----
>> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>> > Sent: Wednesday, December 07, 2005 4:57 PM
>> > To: [ISAserver.org Discussion List]
>> > Subject: [isalist] External Network Logic
>> >
>> > So, you've got ISA with 2 NIC's. You define the Internal range on one NIC,
>> > leaving the other NIC as "External." You then add a perimeter network, and
>> > give it the IP range of what used to be the "External" NIC. What happens to
>> > the concept of the External network since you now have a trusted Internal
>> > network and a less trusted "Perimeter" network, but no real "External"
>> > network anymore. Will it just be an "empty" network set sitting there all
>> > alone in the cold, cold ground?
>> >
>> > t
>> >
>> > ------------------------------------------------------
>> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
>> > ------------------------------------------------------
>> > Visit TechGenix.com for more information about our other sites:
>> > http://www.techgenix.com
>> > ------------------------------------------------------
>> > You are currently subscribed to this ISAserver.org Discussion
>> > List as: tshinder@xxxxxxxxxxxxxxxxxx
>> > To unsubscribe visit
>> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> > Report abuse to listadmin@xxxxxxxxxxxxx
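
Added example, not part of the original thread and not ISA Server code: a small Python model of the network logic discussed above, showing which network an address falls into and whether a connection is routed (source IP kept), NATed (source IP replaced) or has no network rule at all. It assumes the default External Network is whatever no defined network claims and that route relationships apply in both directions; all address ranges, rule tables and function names are constructed for illustration.

```python
import ipaddress

# Constructed ranges for a two-NIC firewall; none of these come from the thread.
NETWORKS = {
    "Internal": ipaddress.ip_network("10.0.1.0/24"),
    "Perimeter": ipaddress.ip_network("10.0.2.0/24"),
}
FIREWALL_NAT_ADDRESS = "10.0.2.1"  # constructed: address substituted when NAT applies

# Network rules as (source network, destination network) -> relationship.
ROUTE_ONLY = {("Internal", "Perimeter"): "route"}  # the single route rule case
ROUTE_PLUS_NAT = {**ROUTE_ONLY, ("Internal", "External"): "nat"}


def network_of(addr):
    """Return the defined network that claims addr, else the default External."""
    ip = ipaddress.ip_address(addr)
    for name, cidr in NETWORKS.items():
        if ip in cidr:
            return name
    return "External"  # assumption of this model: everything left unclaimed


def relationship(src, dst, rules):
    """Return 'local', 'route', 'nat', or 'none' when no network rule connects them."""
    s, d = network_of(src), network_of(dst)
    if s == d:
        return "local"  # same network, traffic does not cross the firewall
    if (s, d) in rules:
        return rules[(s, d)]
    if rules.get((d, s)) == "route":
        return "route"  # assumption: route relationships apply in both directions
    return "none"  # NAT is one-way, so a reversed NAT rule does not match


def source_seen_by_destination(src, dst, rules):
    """Source IP the destination observes, or None if the networks are not connected."""
    rel = relationship(src, dst, rules)
    if rel in ("local", "route"):
        return src
    return FIREWALL_NAT_ADDRESS if rel == "nat" else None


if __name__ == "__main__":
    for label, rules in (("route only", ROUTE_ONLY), ("route + NAT", ROUTE_PLUS_NAT)):
        for dst in ("10.0.2.10", "203.0.113.10"):
            print(label, dst, relationship("10.0.1.25", dst, rules),
                  source_seen_by_destination("10.0.1.25", dst, rules))
```

With only the route rule defined, the External Network still exists in the model but nothing can reach it, which is the situation described for the two-NIC box with no "External" resources.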